cleanup Rest API
This commit is contained in:
@ -4,6 +4,8 @@
@ -1,21 +1,21 @@
using System.Net;
using System.Text;
using System.Text.Json;
using Backend.Database;
using Backend.Model;
using Backend.Model.Relations;
using Backend.Utils;
using Innovenergy.Backend.Database;
using Innovenergy.Backend.Model;
using Innovenergy.Backend.Model.Relations;
using Innovenergy.Backend.Utils;
using Microsoft.AspNetCore.Mvc;
using HttpContextAccessor = Microsoft.AspNetCore.Http.HttpContextAccessor;
namespace Backend.Controllers;
namespace Innovenergy.Backend.Controllers;
public class Controller
public Object Login(Credentials credentials)
@ -29,181 +29,175 @@ public class Controller
if (user is null)
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
// if (!VerifyPassword(password, user))
// return new HttpResponseMessage(HttpStatusCode.Unauthorized);
#if !DEBUG
if (!VerifyPassword(credentials.Password, user))
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
var ses = new Session(user);
return ses.Token;
private static Boolean VerifyPassword(String password, User user)
var pwdBytes = Encoding.UTF8.GetBytes(password);
var saltBytes = Encoding.UTF8.GetBytes(user.Salt + "innovEnergy");
var pwdHash = Crypto.ComputeHash(pwdBytes, saltBytes);
return user.Password == pwdHash;
public Object Logout()
var ctxAccessor = new HttpContextAccessor();
var ctx = ctxAccessor.HttpContext;
using var db = Db.Connect();
var currentUser = (User)ctx.Items["User"];
var caller = GetCaller();
if (currentUser is null)
return new HttpResponseMessage(HttpStatusCode.Conflict);
if (caller is null)
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
return db.DeleteSession(currentUser.Id);
using var db = Db.Connect();
return db.DeleteSession(caller.Id);
public Object UpdateS3Creds()
public Object UpdateS3Credentials()
var ctxAccessor = new HttpContextAccessor();
var ctx = ctxAccessor.HttpContext;
using var db = Db.Connect();
var currentUser = (User)ctx!.Items["User"]!;
// TODO: S3Credentials should be per session, not per user
return db.CreateAndSaveUserS3ApiKey(currentUser);
var caller = GetCaller();
if (caller is null)
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
using var db = Db.Connect();
return db.CreateAndSaveUserS3ApiKey(caller);
[ProducesResponseType(typeof(User), 200)]
public Object GetUserById(Int64 id)
var ctxAccessor = new HttpContextAccessor();
var ctx = ctxAccessor.HttpContext;
using var db = Db.Connect();
var currentUser = (User)ctx.Items["User"];
var viewedUser = db.GetUserById(id);
//using the same error to prevent fishing for ids
if (currentUser == null || viewedUser == null || !db.IsParentOfChild(currentUser, viewedUser))
var caller = GetCaller();
if (caller is null)
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
using var db = Db.Connect();
return viewedUser;
var user = db
.FirstOrDefault(u => u.Id == id);
return user as Object ?? new HttpResponseMessage(HttpStatusCode.Unauthorized);
[ProducesResponseType(typeof(Installation), 200)]
public Object GetInstallationById(Int64 id)
var ctxAccessor = new HttpContextAccessor();
var ctx = ctxAccessor.HttpContext;
using var db = Db.Connect();
var currentUser = (User)ctx.Items["User"];
if (currentUser == null)
var caller = GetCaller();
if (caller == null)
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
using var db = Db.Connect();
var installation = db
.FirstOrDefault(i => i.Id == id);
if (installation is null)
return new HttpResponseMessage(HttpStatusCode.NotFound);
return installation;
return installation as Object ?? new HttpResponseMessage(HttpStatusCode.NotFound);
[ProducesResponseType(typeof(Folder), 200)]
public Object GetFolderById(Int64 id)
var ctxAccessor = new HttpContextAccessor();
var ctx = ctxAccessor.HttpContext;
var caller = GetCaller();
if (caller == null)
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
using var db = Db.Connect();
var currentUser = (User)ctx.Items["User"];
var folder = db
.FirstOrDefault(f => f.Id == id);
if(folder is null)
return new HttpResponseMessage(HttpStatusCode.NotFound);
return folder;
return folder as Object ?? new HttpResponseMessage(HttpStatusCode.NotFound);
[Returns<Installation[]>] // assuming swagger knows about arrays but not lists (JSON)
public Object GetAllInstallations()
var ctxAccessor = new HttpContextAccessor();
var ctx = ctxAccessor.HttpContext;
using var db = Db.Connect();
var user = (User)ctx.Items["User"];
if (user == null)
var caller = GetCaller();
if (caller == null)
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
using var db = Db.Connect();
return db.GetAllAccessibleInstallations(user).ToList();
return db
.ToList(); // important!
[Returns<Folder[]>] // assuming swagger knows about arrays but not lists (JSON)
public Object GetAllFolders()
var ctxAccessor = new HttpContextAccessor();
var ctx = ctxAccessor.HttpContext;
var user = (User)ctx.Items["User"];
using var db = Db.Connect();
if (user == null)
var caller = GetCaller();
if (caller == null)
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
return db.GetAllAccessibleFolders(user).ToList();
using var db = Db.Connect();
return db
.ToList(); // important!
public Object UpdateUser(User updatedUser)
var ctxAccessor = new HttpContextAccessor();
var ctx = ctxAccessor.HttpContext;
using var db = Db.Connect();
var currentUser = (User)ctx.Items["User"];
if (currentUser == null || !currentUser.HasWriteAccess || !db.IsParentOfChild(currentUser, updatedUser))
// TODO: distinguish between create and update
var caller = GetCaller();
if (caller == null)
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
return db.GetUserById(updatedUser.Id) != null ? db.UpdateUser(updatedUser) : db.CreateUser(updatedUser);
using var db = Db.Connect();
return db.GetUserById(updatedUser.Id) != null
? db.UpdateUser(updatedUser)
: db.CreateUser(updatedUser);
public Object UpdateInstallation(Installation updatedInstallation)
var ctxAccessor = new HttpContextAccessor();
var ctx = ctxAccessor.HttpContext;
var caller = GetCaller();
var currentUser = (User)ctx.Items["User"];
if (currentUser == null || !currentUser.HasWriteAccess)
if (caller is null || !caller.HasWriteAccess)
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
using var db = Db.Connect();
var hasAccess = db.GetAllAccessibleInstallations(currentUser)
.Any(i => i.Id == updatedInstallation.Id);
if (!hasAccess)
var hasAccessToInstallation = db
.Any(i => i.Id == updatedInstallation.Id);
if (!hasAccessToInstallation)
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
// TODO: accessibility by other users etc
@ -213,64 +207,68 @@ public class Controller
public Object UpdateFolder(Folder updatedFolder)
public Object UpdateFolder(Folder folder)
var ctxAccessor = new HttpContextAccessor();
var ctx = ctxAccessor.HttpContext;
using var db = Db.Connect();
var currentUser = (User)ctx.Items["User"];
if (currentUser == null || !currentUser.HasWriteAccess)
var caller = GetCaller();
if (caller is null || !caller.HasWriteAccess)
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
var hasAccess = db.GetAllAccessibleFolders(currentUser)
.Any(f => f.Id == updatedFolder.Id);
using var db = Db.Connect();
var hasAccessToFolder = db
.Any(f => f.Id == folder.Id);
if (!hasAccess)
if (!hasAccessToFolder)
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
// TODO: accessibility by other users etc
// TODO: sanity check changes
return db.UpdateFolder(updatedFolder);
return db.UpdateFolder(folder);
public Object DeleteUser(Int64 userId)
var ctxAccessor = new HttpContextAccessor();
var ctx = ctxAccessor.HttpContext;
using var db = Db.Connect();
var currentUser = (User)ctx.Items["User"];
var userToBeDeleted = db.GetUserById(userId);
var caller = GetCaller();
if (currentUser == null
|| userToBeDeleted == null
|| !currentUser.HasWriteAccess
|| !db.IsParentOfChild(currentUser,userToBeDeleted))
if (caller is null || !caller.HasWriteAccess)
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
using var db = Db.Connect();
var userToBeDeleted = db
.FirstOrDefault(u => u.Id == userId);
if (userToBeDeleted is null)
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
return db.DeleteUser(userToBeDeleted);
public Object DeleteInstallation(Int64 idOfInstallationToBeDeleted)
public Object DeleteInstallation(Int64 installationId)
var ctxAccessor = new HttpContextAccessor();
var ctx = ctxAccessor.HttpContext;
var caller = GetCaller();
if (caller is null || !caller.HasWriteAccess)
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
using var db = Db.Connect();
var currentUser = (User)ctx.Items["User"];
var installationToBeDeleted = db
.FirstOrDefault(i => i.Id == idOfInstallationToBeDeleted);
.FirstOrDefault(i => i.Id == installationId);
if (installationToBeDeleted is null)
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
@ -278,18 +276,20 @@ public class Controller
return db.DeleteInstallation(installationToBeDeleted);
public Object DeleteFolder(Int64 folderId)
var ctxAccessor = new HttpContextAccessor();
var ctx = ctxAccessor.HttpContext;
var caller = GetCaller();
if (caller == null)
return new HttpResponseMessage(HttpStatusCode.Unauthorized);
using var db = Db.Connect();
var currentUser = (User)ctx.Items["User"];
var folderToDelete = db
.FirstOrDefault(f => f.Id == folderId);
if (folderToDelete is null)
@ -299,5 +299,22 @@ public class Controller
private static User? GetCaller()
var ctxAccessor = new HttpContextAccessor();
return ctxAccessor.HttpContext?.Items["User"] as User;
private static Boolean VerifyPassword(String password, User user)
var pwdBytes = Encoding.UTF8.GetBytes(password);
var saltBytes = Encoding.UTF8.GetBytes(user.Salt + "innovEnergy");
var pwdHash = Crypto.ComputeHash(pwdBytes, saltBytes);
return user.Password == pwdHash;
@ -1,3 +1,6 @@
namespace Backend.Controllers;
using System.Diagnostics.CodeAnalysis;
namespace Innovenergy.Backend.Controllers;
public record Credentials(String Username, String Password);
@ -1,11 +1,11 @@
using System.Diagnostics.CodeAnalysis;
using Backend.Model;
using Backend.Model.Relations;
using Backend.Utils;
using Innovenergy.Backend.Model;
using Innovenergy.Backend.Model.Relations;
using Innovenergy.Backend.Utils;
using InnovEnergy.Lib.Utils;
using SQLite;
namespace Backend.Database;
namespace Innovenergy.Backend.Database;
public partial class Db : IDisposable
@ -97,6 +97,8 @@ public partial class Db : IDisposable
return direct.Concat(fromFolders);
public IEnumerable<Folder> GetAllAccessibleFolders(User user)
@ -1,6 +1,6 @@
using Backend.Model.Relations;
using Innovenergy.Backend.Model.Relations;
namespace Backend.Database;
namespace Innovenergy.Backend.Database;
public partial class Db
@ -1,9 +1,9 @@
using Backend.Model;
using Backend.Utils;
using Innovenergy.Backend.Model;
using Innovenergy.Backend.Utils;
using InnovEnergy.Lib.Utils;
using SQLite;
namespace Backend.Database;
namespace Innovenergy.Backend.Database;
public partial class Db
@ -37,6 +37,15 @@ public partial class Db
return Installations.Where(f => f.ParentId == parent.Id);
public IEnumerable<User> GetChildUsers(User parent)
return Users.Where(f => f.ParentId == parent.Id);
public IEnumerable<User> GetDescendantUsers(User parent)
return parent.Traverse(GetChildUsers);
public Result CreateFolder(Folder folder)
@ -1,8 +1,8 @@
using Backend.Model;
using Backend.Utils;
using Innovenergy.Backend.Model;
using Innovenergy.Backend.Utils;
using SQLite;
namespace Backend.Database;
namespace Innovenergy.Backend.Database;
public partial class Db
@ -1,18 +1,16 @@
using System.Net;
using System.Net.Mail;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Backend.Model;
using Backend.Utils;
using Flurl.Http;
using Innovenergy.Backend.Model;
using Innovenergy.Backend.Utils;
using InnovEnergy.Lib.Utils;
using Microsoft.AspNetCore.DataProtection;
using SQLite;
#pragma warning disable CS0472
#pragma warning disable CS8602
namespace Backend.Database;
namespace Innovenergy.Backend.Database;
public partial class Db
@ -22,16 +20,16 @@ public partial class Db
public User? GetUserById(Int64 id)
return Users.FirstOrDefault(u => u.Id == id);
return Users.FirstOrDefault(u => u.Id == id);
public Boolean IsParentOfChild(User parent, User child)
var parentPointer = child.ParentId;
if (parent.Id == child.Id)
return true;
while (parentPointer != null && parentPointer != parent.Id)
parentPointer = GetUserById(parentPointer).ParentId;
@ -46,10 +44,10 @@ public partial class Db
if (GetUserByEmail(user.Email) is not null)
return Result.Error("User with that email already exists");
//Salting and Hashing password
var salt = Crypto.GenerateSalt();
var hashedPassword = Crypto.ComputeHash(Encoding.UTF8.GetBytes(user.Password),
var hashedPassword = Crypto.ComputeHash(Encoding.UTF8.GetBytes(user.Password),
Encoding.UTF8.GetBytes(salt + "innovEnergy"));
user.Salt = salt;
@ -57,49 +55,51 @@ public partial class Db
return Create(user);
public Object CreateAndSaveUserS3ApiKey(User user)
const String url = "";
const String url = "";
const String secret = "S2K1okphiCSNK4mzqr4swguFzngWAMb1OoSlZsJa9F0";
const String apiKey = "EXOb98ec9008e3ec16e19d7b593";
var payload = new
{ name = user.Email,
operations = new List<String> {"getObject", "listBucket"},
content = new List<Object>{}};
name = user.Email,
operations = new List<String> { "getObject", "listBucket" },
content = new List<Object> { }
var installationIdList = User2Installation
.Where(i => i.UserId == user.Id)
.SelectMany(i => Installations.Where(f => i.InstallationId == f.Id))
foreach (var installation in installationIdList)
payload.content.Add(new {domain = "sos", resource_type = "bucket", resource_name = installation.Name}); //TODO CHANGE NAME TO S3BUCKET
payload.content.Add(new { domain = "sos", resource_type = "bucket", resource_name = installation.Name }); //TODO CHANGE NAME TO S3BUCKET
using var hmacSha1 = new HMACSHA1(Encoding.UTF8.GetBytes(secret));
var signature = Encoding.UTF8
var keyJson = url
.WithHeader("Authorization", $"POST {apiKey};{signature}")
return SetUserS3ApiKey(user, keyJson.GetValue("key"));
public Result SetUserS3ApiKey(User user,String key)
public Result SetUserS3ApiKey(User user, String key)
user.S3Key = key;
return Update(user);
public Result UpdateUser(User user)
var oldUser = GetUserById(user.Id);
@ -108,42 +108,39 @@ public partial class Db
//Checking for unchangeable things
// TODO: depends on privileges of caller
user.Id = oldUser.Id;
user.Id = oldUser.Id;
user.ParentId = oldUser.ParentId;
user.Email = oldUser.Email;
user.Email = oldUser.Email;
return Update(user);
public Result DeleteUser(User user)
User2Folder .Delete(u => u.UserId == user.Id);
User2Folder.Delete(u => u.UserId == user.Id);
User2Installation.Delete(u => u.UserId == user.Id);
//Todo check for orphaned Installations/Folders
// GetChildUsers()
return Delete(user);
private static Boolean IsValidEmail(String email)
var emailAddress = new MailAddress(email);
return false;
return true;
@ -1,7 +1,7 @@
using Backend.Model.Relations;
using Innovenergy.Backend.Model.Relations;
using SQLite;
namespace Backend.Database;
namespace Innovenergy.Backend.Database;
public partial class Db
@ -1,7 +1,7 @@
using Backend.Model.Relations;
using Innovenergy.Backend.Model.Relations;
using SQLite;
namespace Backend.Database;
namespace Innovenergy.Backend.Database;
public partial class Db
@ -0,0 +1,24 @@
using Microsoft.OpenApi.Models;
using Swashbuckle.AspNetCore.SwaggerGen;
namespace Innovenergy.Backend;
/// <summary>
/// This is for convenient testing! Todo throw me out?
/// Operation filter to add the requirement of the custom header
/// </summary>
public class HeaderFilter : IOperationFilter
public void Apply(OpenApiOperation operation, OperationFilterContext context)
operation.Parameters ??= new List<OpenApiParameter>();
operation.Parameters.Add(new OpenApiParameter
Name = "auth",
In = ParameterLocation.Header,
Content = new Dictionary<String, OpenApiMediaType>(),
Required = false
@ -1,6 +1,4 @@
using SQLite;
namespace Backend.Model;
namespace Innovenergy.Backend.Model;
public class Folder : TreeNode
@ -1,6 +1,4 @@
using SQLite;
namespace Backend.Model;
namespace Innovenergy.Backend.Model;
public class Installation : TreeNode
@ -1,7 +1,7 @@
using System.Diagnostics.CodeAnalysis;
using SQLite;
namespace Backend.Model.Relations;
namespace Innovenergy.Backend.Model.Relations;
public abstract class Relation<L,R>
@ -1,6 +1,6 @@
using SQLite;
namespace Backend.Model.Relations;
namespace Innovenergy.Backend.Model.Relations;
public class Session : Relation<String, Int64>
@ -1,6 +1,6 @@
using SQLite;
namespace Backend.Model.Relations;
namespace Innovenergy.Backend.Model.Relations;
internal class User2Folder : Relation<Int64, Int64>
@ -1,6 +1,6 @@
using SQLite;
namespace Backend.Model.Relations;
namespace Innovenergy.Backend.Model.Relations;
internal class User2Installation : Relation<Int64, Int64>
@ -1,7 +1,6 @@
using SQLite;
namespace Backend.Model;
namespace Innovenergy.Backend.Model;
public abstract class TreeNode
@ -1,6 +1,6 @@
using SQLite;
namespace Backend.Model;
namespace Innovenergy.Backend.Model;
public class User : TreeNode
@ -1,6 +1,6 @@
using System.Security.Cryptography;
namespace Backend.Utils;
namespace Innovenergy.Backend.Utils;
public static class Crypto
@ -1,4 +1,4 @@
namespace Backend.Utils;
namespace Innovenergy.Backend.Utils;
public class Result
Binary file not shown.
@ -1,104 +1,59 @@
using Backend.Controllers;
using Backend.Database;
using Innovenergy.Backend.Database;
using Microsoft.OpenApi.Models;
using Swashbuckle.AspNetCore.SwaggerGen;
namespace Innovenergy.Backend;
using (var db = Db.Connect())
public class Program
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers(); // TODO: remove magic, specify controllers explicitly
// Learn more about configuring Swagger/OpenAPI at
builder.Services.AddCors(o => o.AddDefaultPolicy(p => p.WithOrigins("*").AllowAnyHeader().AllowAnyMethod()));
builder.Services.AddSwaggerGen(config =>
config.SwaggerDoc("v1", new OpenApiInfo{ Title = "My API", Version = "V1" });
config.OperationFilter<MyHeaderFilter>(); //Todo testing throw me out
var app = builder.Build();
// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
app.UseSwaggerUI(cfg => cfg.EnableFilter());
//================= Functions for above ===================
//Setting User for current Session
async Task SetSessionUser(HttpContext ctx, RequestDelegate next)
var headers = ctx.Request.Headers;
var hasToken = headers.TryGetValue("auth", out var token);
if (!ctx.Request.Path.ToString().Contains(nameof(Controller.Login)))
public static void Main(string[] args)
if (!hasToken)
using (var db = Db.Connect())
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers(); // TODO: remove magic, specify controllers explicitly
// Learn more about configuring Swagger/OpenAPI at
builder.Services.AddCors(o => o.AddDefaultPolicy(p => p.WithOrigins("*").AllowAnyHeader().AllowAnyMethod()));
builder.Services.AddSwaggerGen(config =>
ctx.Response.StatusCode = 403;
using var db = Db.Connect();
var user = db.GetUserByToken(token.ToString());
if (user is null)
ctx.Response.StatusCode = 403;
ctx.Items["User"] = user;
await next(ctx);
/// <summary>
/// This is for convenient testing! Todo throw me out?
/// Operation filter to add the requirement of the custom header
/// </summary>
public class MyHeaderFilter : IOperationFilter
public void Apply(OpenApiOperation operation, OperationFilterContext context)
operation.Parameters ??= new List<OpenApiParameter>();
operation.Parameters.Add(new OpenApiParameter
Name = "auth",
In = ParameterLocation.Header,
Content = new Dictionary<String, OpenApiMediaType>(),
Required = false
config.SwaggerDoc("v1", new OpenApiInfo{ Title = "My API", Version = "V1" });
config.OperationFilter<HeaderFilter>(); //Todo testing throw me out
var app = builder.Build();
// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
app.UseSwaggerUI(cfg => cfg.EnableFilter());
private static async Task SetSessionUser(HttpContext ctx, RequestDelegate next)
var headers = ctx.Request.Headers;
var hasToken = headers.TryGetValue("auth", out var token);
if (hasToken)
using var db = Db.Connect();
ctx.Items["User"] = db.GetUserByToken(token.ToString());
await next(ctx);
Reference in New Issue